
03-04-2013 11:32 AM
Hello! My customer bought a pair of S370 WSAs prior to deployment planning. I need to deploy both of them into an existing network and I'd like to ask a few questions of somebody who knows how to do it.
1. As I know from the manuals, the WSA doesn't support any clustering, but I'd like to use both of my S370s for redundancy. I'm planning to use WCCP only; no explicit proxy mode will be used. What methods can I use to deploy a redundant WCCP cache on a pair of WSAs? If it is possible, I'd prefer to use something like Active\Passive rather than a load balancing scheme. Does it have a Centralized management feature like the ESA to share configs between devices?
2. I have a fusion router which "mixes" traffic from different VRFs. Is it possible to configure the router in such a way that every VRF (which corresponds to its own interface and different subnets) will be seen with its own IP address on the internet, or will all of them be using just the WSA's address like in explicit proxy mode?
3. When I tried to test my WSA in explicit proxy mode prior to configuring WCCP, I found out that I can use it as a proxy without any authentication, just by setting its address and port in my browser. How can I disable explicit proxy mode or set any authentication (no LDAP or NTLM) to prevent unauthorized access to my proxy?
I'm a newbie with IronPorts, so I will appreciate any help, including links to manuals.
Accepted Solutions
03-09-2013 02:53 PM
The WCCP protocol allows for automatic detection of all connected devices, both proxies and routers/firewalls/switches. When configuring WCCP with multiple WSAs, they're all in the WCCP cluster, with the router doing the load balancing between the detected proxies. From what I've seen, you can't configure an active/passive scenario.
As you mentioned, WSAs don't support the clustering seen in ESAs. You could use an M-series box to provide central management and reporting for multiple WSAs in your environment.
Regarding VRFs: WSAs support IP spoofing, which allows you to send out requests with the client's address instead of the WSA's external address. You could perform PAT of multiple addresses on the edge router/firewall to send the requests out with a different IP address for each VRF, for example.
I don't think you can fully disable the explicit proxy on the WSA. You can set up a firewall rule to prevent direct client access to the proxy ports.
03-13-2013 03:47 PM
The current versions of WCCP do not support fail over or active/passive, yet. There are plans for WCCP to support that down the road.
Christian Rahl
Customer Support Engineer
Cisco Web Content Security Appliance
Cisco Technical Assistance Center RTP

06-19-2017 11:47 AM
Hi,
"WSAs don't support clustering seen in ESAs"
Is this answer still valid? Any update on the technology?
From my searches I've understood that on the WSA
1- a failover group for explicit proxy continuity,
2- SMA for central logging and management
will let me achieve
1- no outages on the explicit proxy
2- the same policies on each box, managed from a central location.
Am I correct?
Kind regards
06-19-2017 12:00 PM
Correct, there is no equivalent "clustering" on the WSA. No change in the technology.
You're correct on your second 2 statements also.
SMA also lets you centralize reporting...
06-28-2017 01:29 PM
Hi Ken,
Sorry for proceeding with questions every time. I cannot find proper documentation online and cannot make sure.
My new question is: I want to deploy explicit proxy HA in active-active mode.
I know from examples that the built-in HA works in active-passive. Does it also work active-active?
If not, I am gonna proceed with a load balancer as a distribution point in order to utilize both boxes.
Kind regards
Sadik
06-28-2017 01:47 PM
Basically, the intention of the built-in HA is for it to transparently move the proxy address to a box that's up... it's really intended for active-passive installs.
If you want active-active, you don't need to use the built-in HA.
There are a few ways to get the data flow to the boxes:
1. a web load balancer
2. a PAC file (I don't know the syntax, but I do know that you can specify multiple proxies)
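The PAC-file option from the reply above, as an added example that is not part of the original post or of Cisco documentation: each destination host is pinned to one appliance first and falls over to the other when the first does not answer, which spreads explicit-proxy traffic over both boxes. The hostnames `wsa1.example.internal` / `wsa2.example.internal`, port 3128 and the `bucketFor` helper are assumptions made for illustration.

```javascript
// Added example: PAC file spreading explicit-proxy traffic over two WSAs.
// Hostnames and port are hypothetical placeholders; replace with your own.
var PROXIES = [
  "PROXY wsa1.example.internal:3128",
  "PROXY wsa2.example.internal:3128"
];

// Deterministic bucket for a hostname so a given site always goes to the
// same appliance first (keeps sessions and cache hits on one box).
function bucketFor(host, buckets) {
  var sum = 0;
  var h = host.toLowerCase();
  for (var i = 0; i < h.length; i++) {
    sum = (sum + h.charCodeAt(i)) % 65521;
  }
  return sum % buckets;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Single-label names are treated as intranet hosts and bypass the proxy.
  if (host.indexOf(".") === -1) {
    return "DIRECT";
  }
  var first = bucketFor(host, PROXIES.length);
  var order = [];
  for (var n = 0; n < PROXIES.length; n++) {
    order.push(PROXIES[(first + n) % PROXIES.length]);
  }
  // No trailing "DIRECT": if both appliances are down, requests fail
  // instead of leaving the network unfiltered.
  return order.join("; ");
}
```

Pair this with the firewall rule mentioned earlier in the thread so that only the intended client networks can reach the proxy port.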
11-03-2017 01:08 PM
Good day,
I would like to know if there is any document that shows, step by step, how to perform the configuration of load balancing and HA for a WSA and vWSA through WCCP on a Cisco ASA Firewall.
On the other hand, I have a doubt: when this type of configuration is done, how is it done so that a configuration change is replicated to the two WSAs (physical WSA and virtual vWSA)?
Thank you in advance for the collaboration and the help you give me.
